Misconfiguration 


Objectives 


• Understand what misconfiguration is
• Discuss the risks and threats around misconfiguration


What is a misconfiguration 


• Misconfiguration is essentially incorrectly configuring software safeguards

• Typically web applications
• #5 on the OWASP Top 10 (2013 list, A5)
• Can be anything else however


Examples 


• Disabling default accounts - wireless
• Not setting update schedule - Windows, Linux
• Removing setup files - WordPress
• Closing open ports - Linux
• Using insecure ports - LDAP
• Not setting a password
• Unnecessary services enabled - Linux
• Default certificates - Lenovo
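Three of the examples above (unnecessary services, open ports, insecure ports such as plaintext LDAP) can be caught with the same host check: compare what is actually listening against what the host is supposed to expose. The script below is an added illustration, not part of the original slides; it parses the text of `ss -tlnp` (the sample output is constructed) and the allowlist is an assumption standing in for a real build standard.

```python
"""Audit a Linux host's listening TCP sockets against an allowlist.

Added illustration for the misconfiguration examples above; not part of the
original slides. Input is the text of `ss -tlnp`; the sample is constructed.
"""
import re
from typing import Dict, List

# Services this host is expected to expose (port -> purpose).
# Assumption: a real allowlist comes from the host's build standard.
ALLOWED_PORTS: Dict[int, str] = {22: "ssh", 443: "https"}

# Plaintext protocols for which a TLS-protected alternative exists.
INSECURE_PORTS: Dict[int, str] = {
    23: "telnet; use ssh (22)",
    21: "ftp; use sftp (22) or ftps",
    389: "ldap without TLS; use ldaps (636) or StartTLS",
}

# Bindings that are not reachable from the network.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample of `ss -tlnp` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:389         0.0.0.0:*          users:(("slapd",pid=901,fd=7))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=700,fd=4))
LISTEN  0       128     [::]:23             [::]:*             users:(("telnetd",pid=955,fd=3))
LISTEN  0       4096    0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1020,fd=6))
"""


def parse_ss(text: str) -> List[dict]:
    """Turn `ss -tlnp` lines into dicts with local address, port and process."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:23 as well
        proc = re.search(r'\(\("([^"]+)"', line)
        sockets.append({
            "addr": addr,
            "port": int(port),
            "process": proc.group(1) if proc else "?",
        })
    return sockets


def audit_listeners(text: str) -> List[str]:
    """Return one finding per network-reachable listener that is insecure or unexpected."""
    findings = []
    for s in parse_ss(text):
        if s["addr"].startswith(LOOPBACK_PREFIXES):
            continue  # local-only service, not exposed to the network
        where = f"{s['process']} on {s['addr']}:{s['port']}"
        if s["port"] in INSECURE_PORTS:
            findings.append(f"{where}: {INSECURE_PORTS[s['port']]}")
        elif s["port"] not in ALLOWED_PORTS:
            findings.append(f"{where}: not in allowlist, disable or restrict")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run against the constructed sample it reports the plaintext LDAP listener and the telnet daemon, and stays quiet about the printing service bound only to loopback. On a real host feed it `ss -tlnp` output and replace the allowlist with the ports the host's role actually requires.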


Discussion 


• Attackers are usually external
• Intentional or unintentional - Shodan

• Exploitability is easy since the admin “forgot” to set something up

• Can happen anywhere in the application stack

• Risks and threats vary depending on what the application has access to


Top 10 2013 - A5 - Security Misconfiguration Scenarios


• Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

• Scenario #2: Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.

• Scenario #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.

• Scenario #4: App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
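Each of the four scenarios corresponds to a setting that can be checked before the server is exposed. The script below is an added illustration, not part of the original slides or of OWASP's material: it runs static checks over configuration text rather than a live server, so the Apache fragment, php.ini fragment and deployed-webapp list are constructed samples. The directives it looks for are real ones (Apache `Options Indexes` enables listing via mod_autoindex, `ServerTokens`/`ServerSignature` control version banners, PHP `display_errors` sends error detail to the browser, and Tomcat ships the `manager`, `host-manager`, `examples` and `docs` webapps by default); the mapping to scenario numbers is this example's own.

```python
"""Static checks for the four A5 scenarios above.

Added illustration, not part of the original slides or of OWASP's material.
It inspects configuration text, so all sample inputs below are constructed.
"""
import re
from typing import List

# Web applications Tomcat ships with. Left on a production server they are
# the admin console of Scenario #1 and the sample apps of Scenario #4.
TOMCAT_BUNDLED_APPS = {"manager", "host-manager", "examples", "docs"}

# Constructed samples.
SAMPLE_APACHE = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/secure">
    Options -Indexes
</Directory>
"""
SAMPLE_PHP_INI = """\
; constructed php.ini fragment
display_errors = On
log_errors = On
"""
SAMPLE_WEBAPPS = ["ROOT", "manager", "examples", "shop"]


def check_apache(conf: str) -> List[str]:
    """Flag directory listing and version banners in an Apache config."""
    findings = []
    for line in conf.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop comments
        if not stripped:
            continue
        # Scenario #2: `Indexes` or `+Indexes` in Options turns listing on;
        # `-Indexes` turns it off, so a leading minus must not match.
        if re.match(r"Options\b", stripped, re.I) and \
                re.search(r"(?<![-\w])\+?Indexes\b", stripped, re.I):
            findings.append("Scenario #2: directory listing enabled: " + stripped)
        # Information disclosure related to Scenario #3: server version in
        # headers and error pages helps map the server to known flaws.
        if re.match(r"ServerTokens\s+Full\b", stripped, re.I):
            findings.append("info disclosure: ServerTokens Full reveals versions")
        if re.match(r"ServerSignature\s+On\b", stripped, re.I):
            findings.append("info disclosure: ServerSignature On adds a banner to error pages")
    return findings


def check_php_ini(ini: str) -> List[str]:
    """Scenario #3: error detail returned to users."""
    findings = []
    for line in ini.splitlines():
        stripped = line.split(";", 1)[0].strip()  # drop comments
        m = re.match(r"display_errors\s*=\s*(\w+)", stripped, re.I)
        if m and m.group(1).lower() in ("on", "1", "true"):
            findings.append("Scenario #3: PHP display_errors shows errors to users: " + stripped)
    return findings


def check_webapps(deployed: List[str]) -> List[str]:
    """Scenarios #1 and #4: bundled admin console and sample apps still deployed."""
    return [f"Scenario #1/#4: bundled Tomcat app still deployed: {name}"
            for name in deployed if name in TOMCAT_BUNDLED_APPS]


def audit(apache_conf: str, php_ini: str, webapps: List[str]) -> List[str]:
    return check_apache(apache_conf) + check_php_ini(php_ini) + check_webapps(webapps)


if __name__ == "__main__":
    for finding in audit(SAMPLE_APACHE, SAMPLE_PHP_INI, SAMPLE_WEBAPPS):
        print(finding)
```

On the constructed samples it reports six findings: the two banner directives, the `Options Indexes` block (but not the `-Indexes` one), `display_errors = On`, and the `manager` and `examples` webapps. Point the functions at the real `httpd.conf`, `php.ini` and `webapps/` listing of a build to use it as a pre-deployment gate.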


